setup when ssl upstream or a cert-bundle is configured.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 24 May 2018 13:03:10 +0000 (13:03 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 24 May 2018 13:03:10 +0000 (13:03 +0000)
git-svn-id: file:///svn/unbound/trunk@4692 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
libunbound/libworker.c

index e46e7aad626e0ff1beee334644e190599099879b..d37a7ac69339ed645add02358902350cc86f6da7 100644 (file)
@@ -2,7 +2,7 @@
        - Fix that libunbound can do DNS-over-TLS, when configured.
        - Fix that windows unbound service can use DNS-over-TLS.
        - unbound-host initializes ssl (for potential DNS-over-TLS usage
-         inside libunbound).
+         inside libunbound), when ssl upstream or a cert-bundle is configured.
 
 23 May 2018: Wouter
        - Use accept4 to speed up incoming TCP (and TLS) connections,
index 84ac6aed60b4f0771d935f6e299f2c9712ed3bdd..4aa9656af20340560d9fc561c57e5919fadeebe3 100644 (file)
@@ -158,12 +158,14 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
                hints_delete(w->env->hints);
                w->env->hints = NULL;
        }
-       w->sslctx = connect_sslctx_create(NULL, NULL,
-               cfg->tls_cert_bundle);
-       if(!w->sslctx) {
-               /* to make the setup fail after unlock */
-               hints_delete(w->env->hints);
-               w->env->hints = NULL;
+       if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0])) {
+               w->sslctx = connect_sslctx_create(NULL, NULL,
+                       cfg->tls_cert_bundle);
+               if(!w->sslctx) {
+                       /* to make the setup fail after unlock */
+                       hints_delete(w->env->hints);
+                       w->env->hints = NULL;
+               }
        }
        if(!w->is_bg || w->is_bg_thread) {
                lock_basic_unlock(&ctx->cfglock);